
Each year, our Annual Trends Report takes a close look at how organizations protect their applications in the real world. Built on findings from a survey sent to more than 40,000 professionals across roles, industries and regions worldwide, the report reflects the latest practices, technologies and methodologies used in application security.

This year, we made API security a key area of focus, recognizing its expanding influence in modern application workflows. Our findings reveal not only where teams are focusing, but also where challenges remain.

Here’s a look at the API-specific data.

Top Priorities: Scanning, Monitoring and Discovery

When security leaders map out their strategies for the coming year, they aren't guessing. They’re directing budgets toward technologies that provide visibility, continuous monitoring and early detection of API risks.

According to the report, three key areas dominate the conversation:

  1. API scanning (30%)
  2. API monitoring (27%)
  3. API discovery (19%)

Scanning, monitoring, and discovery aren’t just buzzwords. Each represents a critical layer in a comprehensive API security strategy, and together they highlight where teams are investing time and resources. Let’s take a closer look at how each priority shapes the security landscape, starting with the most emphasized. 

1. API Scanning Takes the Lead

It’s no surprise that API scanning emerges as the top priority, capturing 30% of focus. For security teams, it’s the first line of defense, providing immediate visibility into potential vulnerabilities. Using robust scanning techniques, organizations target the “low-hanging fruit”—the obvious flaws attackers are most likely to exploit first.

2. The Rise of API Monitoring

Close behind scanning is API monitoring, cited as a priority by 27% of respondents. 

APIs can be perfectly coded but still abused. An attacker might use legitimate credentials to scrape data or overwhelm servers, making authentication, authorization and monitoring just as critical as secure coding. This shift suggests that organizations are moving beyond just "secure code" and thinking about "secure operations."
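An added example of the monitoring point above (not code from the report or from HCL's products): detection logic run over a constructed API access log that flags a valid credential walking user records one ID at a time. The log format, client names, paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format and resource pattern are assumptions for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
RESOURCE_RE = re.compile(r"^/v2/users/(?P<id>\d+)$")

def build_sample_log() -> list:
    """Constructed log: a normal client re-reading one profile, plus a valid
    partner credential walking user IDs sequentially at two requests per second."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(10):
        ts = (base + timedelta(seconds=i * 6)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=web-app GET /v2/users/1001 200")
    for i in range(1, 81):
        ts = (base + timedelta(seconds=i / 2)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=partner-7 GET /v2/users/{i} 200")
    return lines

def detect_enumeration(lines, window=timedelta(seconds=60), max_distinct=30):
    """Return {client: peak distinct IDs} for clients that touch more than
    max_distinct distinct user IDs inside any sliding window. Every request
    is individually authorised and returns 200; the volume is the signal."""
    events = defaultdict(list)  # client -> [(timestamp, user id)]
    for line in lines:
        m = LINE_RE.match(line)
        r = RESOURCE_RE.match(m["path"]) if m else None
        if not r:
            continue  # malformed line or a path we are not counting
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["client"]].append((ts, r["id"]))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({uid for _, uid in evs[start:end + 1]})
            if distinct > max_distinct:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(build_sample_log()))  # {'partner-7': 80}
```

Thresholds are something a team tunes per endpoint; the point is that the signal comes from the monitoring layer, not from anything the code review could have caught.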

3. The Need for Discovery

Coming in third at 19% is API discovery. This addresses the problem of “shadow” and “zombie” APIs: endpoints that developers spin up but security teams might not know about.

As microservice architectures grow more complex, keeping an inventory of every endpoint becomes a massive challenge. Prioritizing discovery means organizations are acknowledging that their API sprawl is a significant risk factor.
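An added example of the discovery problem above (not code from the report or from HCL's products): reconciling a team's API inventory against what a gateway log actually shows, to surface shadow endpoints (traffic with no inventory entry) and zombie endpoints (deprecated in the inventory but still serving requests). The inventory, log format and paths are constructed assumptions.

```python
import re
from collections import Counter

# Constructed inventory (an assumption for this example): the endpoints the security
# team knows about. "active" ones should serve traffic; "deprecated" ones should not.
INVENTORY = {
    "/v2/users": "active",
    "/v2/users/{id}": "active",
    "/v2/orders": "active",
    "/v2/orders/{id}": "active",
    "/v1/users": "deprecated",
}

# Constructed gateway access log: method, path, status.
GATEWAY_LOG = """\
GET /v2/users 200
GET /v2/users/1042 200
GET /v2/orders 200
GET /v1/users 200
POST /internal/debug/dump 200
GET /v2/users/77 200
GET /v1/users 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def normalize(path: str) -> str:
    """Collapse numeric segments to {id} so /v2/users/1042 matches /v2/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def classify(log: str, inventory: dict) -> dict:
    """Reconcile observed endpoints against the inventory.
    shadow: seen in traffic but absent from the inventory
    zombie: deprecated in the inventory but still receiving traffic
    unseen: active in the inventory but never observed (stale inventory or dead code)"""
    seen = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        seen[normalize(m["path"])] += 1
    return {
        "shadow": {p: n for p, n in seen.items() if p not in inventory},
        "zombie": {p: n for p, n in seen.items() if inventory.get(p) == "deprecated"},
        "unseen": sorted(p for p, s in inventory.items() if s == "active" and p not in seen),
    }

if __name__ == "__main__":
    for kind, hits in classify(GATEWAY_LOG, INVENTORY).items():
        print(kind, hits)
```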

Rounding Out the List

The remaining priorities highlight a focus on foundational practices and advanced techniques. API Training and Awareness is a priority for 18% of organizations. This is crucial for embedding secure practices from the very start. And API Fuzzing, a more advanced technique that involves throwing random data at an API to see how it breaks, accounts for 6% of the focus.

The Assessment Gap

While the priorities above emphasize proactive defense, the report also offers a contrasting perspective. We asked organizations how often they actually conduct security assessments of their APIs. The results were: 

The "Never" Category

The largest portion of respondents (33%) admitted they never conduct security assessments on their APIs. In other words, one in three organizations is deploying APIs without verifying their security. 

The "Infrequent" Category

The data doesn't get much better for the rest:

  • 26% assess "occasionally"
  • 21% assess "rarely"

In a fast-moving API environment, checking security "occasionally" can leave attackers with massive windows of opportunity. If a release introduces a vulnerability on Tuesday but the next assessment isn’t until next month, you’re exposed for weeks.

The Minority of “Best Practice”

Only 20% of respondents stated that their organization conducts API security assessments regularly. This provides continuous visibility into API behavior, helping teams monitor changes, identify potential issues early, and maintain a clear understanding of their security posture over time.

Why this Disconnect Matters

This gap between intent (prioritizing scanning and monitoring) and action (actually assessing regularly) is where breaches happen. It suggests that while some organizations are maturing, many are still developing their approach.

“The finding that 33% of organizations never perform API security assessments is a critical reminder of the visibility crisis facing modern AppSec. In the new Agentic AI economy, an unassessed API isn't just a data risk, it's an unauthorized action risk.”

- Eric Schwake, Director of Cybersecurity Strategy, Salt Security

Here’s why this matters:

  • False confidence: Organizations might buy a security tool and feel safe, but without regular, structured assessments, they may not be using it effectively or interpreting its results correctly.
  • Compliance risks: Many regulations (like GDPR, PCI-DSS, or HIPAA) require regular security testing. Falling into the "never" or "rarely" category puts you at greater legal risk.
  • Accumulated debt: Every unassessed API adds to your security debt. Fixing a vulnerability a year after deployment is far more expensive and difficult than fixing it during a regular assessment cycle.

Closing the Gap

While many organizations recognize the importance of scanning, monitoring, and discovery, far fewer have operationalized these priorities into consistent, repeatable security processes. Without structured workflows, clear ownership and defined assessment cycles, even well-intentioned security efforts can become ad hoc. Closing this gap requires moving from isolated activities to integrated, continuous API security practices embedded into everyday operations. 

HCL AppScan API Security brings continuous discovery, posture governance, comprehensive testing and monitoring directly into teams’ workflows—strengthening and sustaining API security over time.

Learn how HCL AppScan can elevate your API security strategy. Contact us today to get started.
